On Friday, February 7, 2020, the California Office of the Attorney General (OAG) released revisions to its proposed implementing regulations to the California Consumer Privacy Act (CCPA). The OAG will accept comments regarding the proposed changes until Monday, February 24, 2020.

While the majority of the changes are made for clarification purposes, there are modifications or additions that likely affect a business’s CCPA compliance plan.

Below is a list of some of the material modifications or clarifications set forth in the revised proposed regulations:

I. Privacy Policy Updates.

Express requirement written into the regulations that a business who must comply with the CCPA must have a privacy policy that complies with the CCPA.

A business that operates online need only provide an email for submitting requests to know in lieu of the prior inferred requirement that the business have an interactive webform accessible on the business’s website.

II. New/Modified Requirements.

If personal information is collected from a consumer’s mobile device for a purpose the consumer would not reasonably expect, then a just-in-time notice must be provided.

A business registered as a data broker with the OAG does not need to provide a notice at collection to the consumer if it has included a link in its registration submission to its online privacy policy that includes instructions on how a consumer may opt-out.

The rules governing additional disclosures of a large quantity of personal information of California consumers for a commercial purpose (i.e. sale, purchase, sharing for commercial purpose) have been adjusted to apply to 10,000,000 or more California consumers affected in any calendar year

III. Procedural Clarifications.

The definition of “personal information” has been revised to provide that if the business does not link the IP address to any particular consumer or household, and could not reasonably link the IP address, then the IP address is not “personal information”.

Revised examples setting forth appropriate delivery of the initial notice have been provided, specifically for delivery through a mobile application and over the telephone and notice at collection of employment-related information.

Clarification has been provided that electronic signatures complying with the Uniform Electronic Transactions Act qualify with respect to obtaining a signed attestation.

The two-step process for online requests for deletion has been made optional.

Additional clarification has been provided on the required content in a response to a request to know categories.

The CCPA accessibility requirements may be satisfied if the business generally follows recognized industry standards, including the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the Worldwide Consortium.

Additional details on the “Do Not Sell My Personal Information” link and opt-out button have been provided for clarity.

Revised the actions required with respect to back-up or archived data to narrow the scope of when deletion is required.

Clarifies certain actions allowed by a service provider, including internal use of personal information to improve the quality of services and the ability of service providers to respond to requests on behalf of a business.

The OAG did us a favor and included a redline to the originally proposed regulation.

The California Consumer Privacy Act (CCPA) went into
effect January 1, 2020. Many California employers have improperly ignored its
application to their businesses. While most employee rights were carved out of
the CCPA’s application until January 2, 2021, there are still key requirements
under the CCPA that employers of California residents must abide by starting
January 1, 2020.

Does the CCPA Apply
to Your Business?

The CCPA generally will apply to any for-profit company
that does business in California, collects the personal information of
California residents (including employees residing in California)
and either (1) has at least $25 million in annual gross revenues; (2) buys,
sells, shares or receives information from at least 50,000 California consumers;
or (3) derives at least 50% of its annual revenue from selling California
personal information.

If your business satisfies one of the thresholds, then
having California employees is enough to trigger compliance requirements under
the CCPA.

Compliance Required Today With Respect to California
Employees

Effective January
1, 2020, all businesses that satisfy the threshold requirements under the CCPA
are required to provide initial privacy notices to their California resident
employees.

In addition to the
initial notice requirements, California employers should be aware that a data
breach of HR data stemming from a lack of reasonable protections could be the
trigger for a class action lawsuit. It is important for employers to scrutinize
information security policies, properly manage all third party service
providers who have access to HR data and update internal and external privacy
policies to ensure compliance under the CCPA.

Risks of
Noncompliance

The CCPA is enforceable by both the California Attorney
General and through limited private rights of action (specific to claims with
respect to data breaches). Enforcement of the CCPA will begin by the California
Attorney General six months after the publication of final regulations or July
1, 2020, whichever is sooner. Fines can run from $2,500-$7,500 per incident
(for example, a violation involving 10,000 California consumers could result in
fines of $25 million to $75 million).

The California Attorney General (AG) has issued the
long-awaited draft regulations for the California Consumer Privacy Act (CCPA),
which regulations will be officially filed on October 11, 2019. The AG stated
that July 1, 2020 is the expected effective date of final regulations and
enforcement. This is not to be interpreted as a safe harbor, but simply an
enforcement delay. The public may submit written comments to the proposed
regulations prior to December 6, 2019 at 5:00pm. The CCPA is effective on
January 1, 2020.

Below are highlights of the key take-aways from the
proposed regulations:

Disclosure. The regulations provide a clear
emphasis on transparency and set forth format and content requirements for
disclosures and privacy notices.

Requests. The regulations include additional
parameters on the procedures for receiving and responding to consumer requests,
including guidance on timing and reasonings for denying requests. The
regulations also provide detailed guidance on how to verify the identity of a
requesting consumer.

Training and Record Retention. The regulations
reinforce and add guidance to the CCPA-specific training requirements and add
new record retention requirements for consumer requests.

To learn more about whether the CCPA applies to your business and how McGrath North attorneys can assist in implementing an efficient and cost-effective compliance plan, contact McGrath North’s data privacy attorneys.

The California Consumer Privacy Act (CCPA) will go into
effect on January 1, 2020. In September, the California legislature passed a
handful of amendments that may have large impacts on your business’s overall
plan for compliance with the CCPA. The Governor of California has until October
13, 2019 to sign the amendments into law or veto the bills.

The CCPA is a sweeping piece of legislation designed to provide California residents with control over how their personal information is used and shared by businesses “doing business in California”. Businesses who are subject to the CCPA requirements must implement procedures for and facilitate consumer data requests, update their privacy policies and flow-down compliance obligations to their vendors. To determine whether the CCPA applies to you and your business, refer to Tackling the California Market Article.

Employee Data – AB-25. Ultimately, the CCPA will apply
to employee data. However, AB 25 has sun-setted the application of most of the
CCPA’s key provisions with respect to personal information that is collected
about employees. As of January 1, 2020, businesses will have to provide
employees notice about what categories of information the business collects and
the purpose for collection, but businesses will not need to offer employees
opt-out, access, and deletion rights until January 1, 2021. California resident
employees will still be entitled to bring a private right of action under the
CCPA with respect to a data breach.

Business to Business Data – AB 1355. AB 1355 added
new Section 1798.145(l) which provides that certain obligations under the CCPA
do not apply to personal information collected during business to business
communications until January 1, 2021 when new Section 1798.145(l) would become
inoperative. The year-long exemption would apply to “personal information
reflecting written or verbal communication or a transaction between the
business and the consumer, where the consumer is a natural person who is acting
as an employee, owner, director, officer, or contractor of a company,
partnership, sole proprietorship, nonprofit, or government agency and whose
communications or transactions with the business occur solely within the context
of the business conducting due diligence regarding, or providing or receiving a
product or service to or from such company, partnership, sole proprietorship,
nonprofit, or government agency.” Effective January 1, 2020, B2B customer
personnel will still have the right to opt-out of their information being sold
and be entitled to bring a private right of action under the CCPA with respect
to a data breach.

To learn more about all of the CCPA amendments and how McGrath North data privacy experts can assist you in preparing a comprehensive, tailored and practical CCPA compliance plan, contact one of our privacy experts.

Financial Institutions have always banked their privacy practices on the requirements under Title V of the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations. That day is now over! The California Consumer Privacy Act (CCPA) is sweeping in and changing the financial privacy landscape. Many had hoped the CCPA would have an all-inclusive exemption for financial instructions already subject to compliance under GLBA; however, the California legislature has made clear that CCPA’s application will apply to portions of data held by financial institutions.

Scope of Financial
Institution Exemption

CCPA exempts certain types of information that are subject to GLBA. The impact for financial institutions – all of the personal information collected today that is not subject to GLBA will be subject to CCPA (to the extent the financial institution is subject to CCPA). This includes the following information: personal information collected through general advertising and website marketing; personal information obtained from non-financial institution partners; and personal information obtained for commercial (non-personal or household) purposes.

A financial institution will be subject to CCPA if it does
business in California and either (1) has at least $25 million in annual gross
revenues; (2) buys, sells, shares or receives information from at least 50,000 California
consumers; or (3) derives at least 50% of its annual revenue from selling
California personal information.

Financial
Institution Data Likely Subject to CCPA

The initial action financial institutions should take is to perform an internal data mapping exercise. Once the financial institution has determined what personal information it collects that is not subject to GLBA, the financial institution can prepare a practical and efficient CCPA compliance plan for all “non-GLBA” information.

Learn More.

As you are formulating a plan to comply with CCPA, our experienced privacy team is ready to partner with you in determining the most practical approach that minimizes disruptions to your already existing GLBA obligations. Here is a link for more information about our team: Privacy Team

With the California Consumer Privacy Act’s (CCPA)
compliance deadline fast approaching (January 1, 2020), companies are preparing
to comply with the additional complex data privacy and security requirements.
HIPAA-Covered Entities may mistakenly overlook the fact that the CCPA does not
wholly-exempt personal information collected by HIPAA-Covered Entities, but in
turn only exempts information already protected by HIPAA. HIPAA, the Health
Insurance Portability and Accountability Act, requires health care organizations,
employer-sponsored group health plans, healthcare clearinghouses, and other
Covered Entities to ensure the privacy and security of Protected Health
Information (“PHI”). Although the CCPA exempts data that constitutes PHI, a
HIPAA-Covered Entity or related Business Associate must still protect personal
data (or even health data) that is covered by the CCPA but does not satisfy the
definition of PHI under HIPAA.

HIPAA-Covered
Entity Data Could Be Subject to CCPA

What type of data is governed by HIPAA and, as a result,
exempt from the CCPA? PHI is defined as “individually identifiable health
information” held or transmitted by a Covered Entity or its Business Associate,
in any form or medium, whether
electronic, paper, or oral. For example, health information, demographic data,
medical histories, test results, and insurance information are forms of PHI if
they can reasonably be used to identify a patient. Identifiers coupled with
health information such as names, geographic locations, dates, contact information,
social security numbers, and more can also constitute PHI. If the data amounts
to PHI, that data is exempt from the CCPA.

Not all data collected by a HIPAA-Covered Entity amounts to PHI. For example, employment records held in the hands of an employer (rather than held by the group health plan sponsored by the employer) are not PHI. Any data collected by a HIPAA-Covered Entity that is not PHI will be subject to the CCPA (to the extent the entity is subject to the CCPA). However, the CCPA provides for an exception. When a Covered Entity or health care provider maintains health information in the same manner as PHI, even though the health information is not PHI, the CCPA rules do not apply. That being said, applying HIPAA privacy and security rules to non-PHI could be a burdensome task and cause confusion amongst a Covered Entity’s employee population.

What This Means for
HIPAA-Covered Entities

Start your data mapping now. To determine what information is collected that is not protected under HIPAA and, to what extent the CCPA applies to such data, you must understand what categories of information are collected, who it is received from, what’s being done with the data and who it is shared with. From there, you can formulate a CCPA plan that correlates and flows with obligations under HIPAA to ensure efficiencies throughout your data compliance program.

As you are reviewing CCPA application to your entity, reach out to our experienced privacy and ERISA team to partner with you to develop a practical plan that minimizes risk and syncs to your already existing HIPAA obligations. Here is a link for more information about our team: Privacy Team

The data privacy regime is starting to look like more of the wild west every day. A year after companies had to focus resources on complying with Europe’s onerous requirements under the General Data Protection Regulations (GDPR), companies must once again gear-up for the first round of U.S. state efforts to tighten up data privacy rules with California’s new California Consumer Privacy Act (CCPA), which comes into effect on January 1, 2020. Whether you were able to ignore GDPR or not, CCPA sets the data privacy bar higher for most U.S. based companies.

DOES CCPA APPLY TO YOUR COMPANY?

CCPA generally will apply to any for-profit company that does business in California; and, either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.

COMPLIANCE WITH GDPR DOES NOT EQUAL COMPLIANCE WITH CCPA.

While many aspects of CCPA read similar to the regulations you may have become familiar with under GDPR, there are clear differences. Like GDPR, CCPA will require companies to carefully craft specific language in their website privacy policy, including providing certain rights to California consumers, such as the right to request what personal information has been collected, the right to request that information is deleted, and the right to access information.

CCPA also includes specific disclosure requirements with respect to the “sale” of California consumer personal information and specific disclosure requirements with respect to personal information of minors. As part of the “sale” disclosures, many companies will need to add a new website opt-out option labeled “Do Not Sell My Personal Information.”

RISKS OF NONCOMPLIANCE.

CCPA is enforceable by both the California Attorney General and through limited private rights of action (specific to claims with respect to data breaches). Enforcement of CCPA will begin by the California Attorney General 6 months after the publication of final regulations or July 1, 2020, whichever is sooner. Fines can run from $2,500-$7,500 per incident (for example, a violation involving 10,000 California consumers could result in fines of $25 million to $75 million).

EXEMPTIONS – GLBA AND HIPPA.

There are specific exemptions with respect to certain types of data under CCPA. If you are a financial institution subject to Gramm-Leach-Bliley Act (GLBA) or a covered entity subject to HIPPA, certain data collected will be exempt. However, financial institutions and covered entities are still subject to CCPA with respect to data not subject to GLBA (non-NPPI) or HIPPA protection (i.e. non-PHI). It is important for companies to understand the interplay between all privacy regulations and set forth a data privacy compliance program that complies with all applicable laws.

WHERE TO START.

Analyzing the application of data privacy regulations can be daunting. McGrath North recommends companies start with data mapping to determine what information is collected, where the information is collected from, and what a company does with the information (including a list of third-parties that the information is later shared with). From here, companies can start to formulate well-thought-out compliance programs that allow them to comply with applicable data privacy laws while maintaining efficient and effective operations.

With a heightened national focus on data privacy and security, these burdensome and sometimes difficult to manage regulations are not going away. Whether you put in place a compliance program to satisfy the requirements of GDPR or not, CCPA and other U.S. state-based data privacy laws will impact almost all nationally operating entities.

McGrath North has data privacy experts to help you work through the weeds of the regulations and to partner with you to determine the most practical and efficient way for your company to implement privacy policies and procedures to ensure compliance. Here is a link for more information on our team: Privacy Team

It’s been more than 1 year since Europe’s General Data Protection Regulations (GDPR) went into effect, and the data protection regulatory front still remains confusing and difficult to trudge through for many U.S. based companies. However, it is clear, there is no slowing down when it comes to increased data privacy regulation. Below is a refresher on the basics of GDPR, as last year we saw many U.S. based companies put aside the issue of whether they needed to focus dollars and time on complying with GDPR. As the regulatory front continues to grow and there is increasing pressure from consumers, customers and vendors to pay attention to data privacy laws (like GDPR), companies who avoided GDPR should review the jurisdictional requirements to confirm their compliance obligations.

WHY CARE – HOW GDPR APPLIES TO U.S. COMPANIES?

Why should a U.S. (or local Midwest based) company pay attention to a set of regulations providing rights (in general) to residents of European nations? The answer is simple; GDPR’s extra-territorial reach allows European nations who have adopted GDPR to latch onto U.S. based companies who have no physical presence in Europe. A U.S. based company with no operations (or other establishment) in Europe will be subject to GDPR jurisdiction if the company either (1) offers goods or services to residents of European nations, or (2) monitors the behavior (i.e. through its website) of residents of European nations.

PRACTICAL WAYS TO START YOUR COMPLIANCE PLAN.

Companies who desire to start formulating a plan with respect to data privacy compliance should start with data mapping. Understanding where and who data is collected from, what the company does with the data and where and who data is shared with will help a company determine what data privacy regimes govern its operations. From there, a company can begin to pull together its data privacy compliance program (whether basic or more sophisticated) to ensure compliance with all applicable data privacy laws.

IMPLEMENTING NECESSARY CHANGES.

Among other things, GDPR requires a company to include specific disclosures in its website’s privacy policy, to have in place consent rights and disclosures with respect to the use of cookies, and to formulate various technical and operational policies and procedures with respect to the treatment and use of data.

Penalties under GDPR for noncompliance can be hefty and upwards of $20 million Euros or 4% of a company’s worldwide annual turnover (whichever is greater). Companies may also be subject to criminal penalties, suits by supervisory authorities or private rights of action by individuals. And today, various European supervisory authorities are beginning to investigate compliance among dozens of U.S. based companies.

GDPR’S NOT FOR YOU – YOUR CUSTOMERS AND VENDORS MIGHT TELL YOU OTHERWISE.

Even if a company determines that GDPR’s jurisdictional reach does not apply to its operations, many U.S. based companies are seeing their customers and services providers require them to comply with the terms of GDPR (through flow-down liability). It is important for companies to understand what they are contractually signing up for and what impact agreeing to GDPR compliance will have.

What this means for most U.S. based companies, is that if GDPR is not yet on your radar (or you subtly ignored GDPR over the last few years), today is the day to review its application and take the necessary steps to gain compliance. With the regulatory focus on data privacy and security, even if GDPR does not apply to your company, almost all U.S. based companies will be impacted by various data privacy state laws working their way through local legislation. Starting with GDPR analysis is just the beginning!

LEARN MORE.

As you are evaluating GDPR’s ongoing impact, our experienced privacy team is ready to partner with you in formulating a practical, effective and tailored compliance approach that minimizes disruptions to your company’s business plans. Here is a link for more information on our team: Privacy Team

Unless you have been paying attention to data privacy news, you may not realize that January 1, 2020, is the implementation date of the California Consumer Protection Act (CCPA) and that July 1, 2020, is the current deadline for the California Attorney General to implement regulations under CCPA. As currently drafted, the CCPA directs the California Attorney General to forego bringing any enforcement action under the CCPA until six months after publication of such final regulations, or July 1, 2020, whichever is sooner.

The CCPA constitutes an expansion beyond California’s existing privacy laws and various provisions of the new law will apply to all businesses that do business in California:

With annual gross revenue greater than $25
million (not just in California),

That obtain or share for commercial purposes the
personal information of 50,000 or more California residents, households or
devices, or

That get 50% or more of their revenue from
selling or sharing the personal information of California residents.

Many non-California
based businesses may be surprised to learn that they fall within the scope of
the CCPA.

The CCPA was
passed quickly to avoid a similar voter initiative ballot measure, and as a
result has numerous ambiguities and apparent inconsistencies. The law was
amended on September 23, 2018, and it is very likely that the law will be
changed again by amendment, and clarified through final rules and regulations,
before it comes into effect on January 1, 2020.

In the
meantime, it is useful to look at what the law, in its current form, will require.
From a practical perspective, for businesses already following California’s
existing privacy laws, some of the main differences under the new law will be: (1)
allowing California residents to opt out of the sale of their personal
information to third parties, (2) getting opt in consent before selling the
personal information of California residents under the age of 16, (3) advising California
residents, upon request and in privacy notices, what personal information the business
has collected about them, how it was collected, why, and if it has been shared
or sold, (4) the introduction of personal information “portability” and deletion
requirements for businesses that maintain covered personal information; and (5)
having a privacy policy that includes both online and offline personal information
collection.

Note that
at this point, the application of the CCPA to employee data remains an open
question. On its face, the CCPA appears to apply only to California
“consumers.” However, the CCPA’s definition of consumer (a California resident)
combined with California’s longstanding practice of protecting individual
privacy rights, suggests that the CCPA also may extend to the personal
information of California residents maintained as part of an employment relationship.
If so, the CCPA would apply to residents of California who are job applicants,
full or part time employees, temporary workers, interns, volunteers,
independent contractors, and even such persons’ dependents or beneficiaries.

While the
CCPA will almost certainly change again before it comes into effect on January 1,
2020, businesses may want to begin thinking now about some of the core new
provisions in that law, in particular, how the business will respond to
consumers’ requests for information about their personal information held by
the business and such consumers’ requests to delete their personal information
held by the business. Note that as
presently drafted, the CCPA requires businesses to maintain a twelve (12) month
look back (as early as back to January 1, 2019) of data processing activities
relating to covered personal information.

Also worth watching is the law’s treatment of private
rights of action. While the CCPA does not contain a private right of action for
violation of any of the new disclosure or individual rights provisions, it does
provide a private right of action for California consumers whose information
has been compromised in a data breach resulting from inadequate security
measures. This essentially codifies the
concept of negligence in California data breaches and, by imposing statutory
damages ($100-$750), may largely affect the pleading and proof of damages in data
breach cases, which is often the issue of greatest dispute. From a litigation standpoint, these statutory
damages plus the broad definition of “consumer” means that plaintiff’s
attorneys may be gearing up to use the CCPA to bring cases against businesses that
do business in California on behalf of a myriad of different groups about whom businesses
typically hold personal information including, for example, end use customers,
employees, shareholders and service providers and vendors.

If you
have questions or would like to discuss the CCPA’s application to your
business, please contact a member of the McGrath North Privacy and Data
Security team.

McGrath North is pleased to host the International Association of Privacy Professionals (IAPP) Privacy After Hours event coming to Omaha on January 26, 2017. Privacy After Hours is a fun and easy way for IAPP members and non-members to get to know other local privacy professionals. There’s no agenda, just show up to the designated location and have a good time! The event is open to anyone who works in or is interested in privacy. The Omaha event will be Thursday, October 15, from 5:30 – 7:30 p.m. at Fox and Hound, Western Crossing Shopping Center, 506 N 120th Street, Omaha, NE 68154.